@apoleon
Created January 3, 2019 10:09
From: Markus Koschany <apo@debian.org>
Date: Thu, 3 Jan 2019 10:55:16 +0100
Subject: CVE-2018-18873
---
src/libjasper/ras/ras_enc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/libjasper/ras/ras_enc.c b/src/libjasper/ras/ras_enc.c
index 6e651bd..aaeff19 100644
--- a/src/libjasper/ras/ras_enc.c
+++ b/src/libjasper/ras/ras_enc.c
@@ -248,6 +248,10 @@ static int ras_putdatastd(jas_stream_t *out, ras_hdr_t *hdr, jas_image_t *image,
hdr->length = hdr->height * rowsize;
+ if(data[0] == NULL || data[1] == NULL || data[2] == NULL) {
+ goto error;
+ }
+
for (y = 0; y < hdr->height; y++) {
for (i = 0; i < numcmpts; ++i) {
if (jas_image_readcmpt(image, cmpts[i], 0, y,
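Review bot: the added `data[0] == NULL || data[1] == NULL || data[2] == NULL` check ahead of the `for (y = 0; y < hdr->height; y++)` loop does not depend on `numcmpts`, while the loop right below it reads only `numcmpts` components, so an image that legitimately carries fewer than three component rows will also take `goto error`. Consider guarding exactly the rows that will be dereferenced, e.g. `for (i = 0; i < numcmpts; ++i) if (!data[i]) goto error;`, or tying the three-row requirement to the code path that actually reads `data[1]` and `data[2]`, so only the inconsistent case is rejected. Since the diffstat shows just these four insertions, also confirm that the existing `error:` label in ras_putdatastd() releases the rows already allocated and returns a failure code.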
YourButterfly commented Jan 4, 2019

Maybe add a check:

    if (numcmpts == 3 && (data[0] == NULL || data[1] == NULL || data[2] == NULL)) {

If the type of a RAS image is GRAY, your check will be wrong: a GRAY RAS image also has no data[1], data[2].
Of course, my fix is not perfect and is just a sample.

By the way, the things you are doing are cool; I want to do it too.

apoleon commented Jan 4, 2019

Hi,

I don't think the additional condition is necessary, because the data array is initialized here:

    for (i = 0; i < 3; ++i) {
        data[i] = 0;
    }

We then only goto error when at least one of the conditions in `data[0] == NULL || data[1] == NULL || data[2] == NULL` is true. That should catch the gray image case too.

@YourButterfly

I mean the gray image case should not goto error. Jasper has a function to deal with the gray image:

    if (RAS_ISRGB(hdr)) {                            // deal with the rgb image
        v = RAS_RED((jas_matrix_getv(data[0], x))) |
          RAS_GREEN((jas_matrix_getv(data[1], x))) |  // crash in here
          RAS_BLUE((jas_matrix_getv(data[2], x)));
    } else {
        v = (jas_matrix_getv(data[0], x));           // line 267: deal with the gray image
    }

In a normal gray RAS image (not my PoC), the value of numcmpts is 1, data[1] and data[2] are NULL, and the binary goes to line 267.
My PoC makes the binary treat a gray RAS as an RGB RAS, which leads to a crash.
In your patch, the binary goes to error when processing a gray image, because data[1] and data[2] are NULL in the gray image.

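The disagreement above is about which component buffers a check on `data[]` may require. The following C program is an added example, not code from jasper, from the patch author or from the commenter: it models the pixel-assembly step of ras_putdatastd() with simplified stand-in types and macros (`jas_matrix_t`, `ras_hdr_t`, `RAS_ISRGB`, `RAS_RED`/`RAS_GREEN`/`RAS_BLUE` and `jas_matrix_getv` are imitations, not the library's definitions), constructs the three image shapes discussed in the thread (ordinary gray, ordinary RGB, and the PoC shape where the header says RGB but only the gray component exists), and runs each shape through the patch's check, the `numcmpts == 3` variant from the comments, and a third check, assumed here and not taken from the thread, that asks for exactly the buffers the RGB or gray branch will dereference.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for jasper types and macros (simplified imitations, not the
 * library's definitions): a component row, a header with only the field the
 * example needs, and the RGB/gray decision and packing macros. */
typedef struct { const int *row; int width; } jas_matrix_t;
typedef struct { int depth; } ras_hdr_t;           /* depth 24 means RGB here */
#define RAS_ISRGB(hdr) ((hdr)->depth == 24)
#define RAS_RED(v)     ((uint32_t)(v) & 0xff)
#define RAS_GREEN(v)   (((uint32_t)(v) & 0xff) << 8)
#define RAS_BLUE(v)    (((uint32_t)(v) & 0xff) << 16)

static int jas_matrix_getv(const jas_matrix_t *m, int x) { return m->row[x]; }

typedef int (*check_fn)(const ras_hdr_t *hdr, int numcmpts, jas_matrix_t **data);

/* Check as written in the gist's patch: fails for any image with fewer than
 * three component buffers, which includes an ordinary gray image. */
static int check_patch(const ras_hdr_t *hdr, int numcmpts, jas_matrix_t **data)
{
    (void)hdr; (void)numcmpts;
    return (data[0] == NULL || data[1] == NULL || data[2] == NULL) ? -1 : 0;
}

/* Check suggested in the comments: only guards when numcmpts == 3, so a header
 * that claims RGB while only one component buffer exists is not caught. */
static int check_numcmpts3(const ras_hdr_t *hdr, int numcmpts, jas_matrix_t **data)
{
    (void)hdr;
    return (numcmpts == 3 &&
            (data[0] == NULL || data[1] == NULL || data[2] == NULL)) ? -1 : 0;
}

/* Assumed fix (not from the patch or the thread): demand exactly the buffers
 * the pixel-assembly branch will dereference, keyed on the same RAS_ISRGB(). */
static int check_consistent(const ras_hdr_t *hdr, int numcmpts, jas_matrix_t **data)
{
    if (RAS_ISRGB(hdr))
        return (numcmpts == 3 && data[0] && data[1] && data[2]) ? 0 : -1;
    return (numcmpts >= 1 && data[0]) ? 0 : -1;
}

/* Pixel assembly shaped like ras_putdatastd(): RGB packs three samples, gray
 * uses data[0] only. Returns -1 when the check rejects the image. */
static long put_pixel(check_fn check, const ras_hdr_t *hdr, int numcmpts,
                      jas_matrix_t **data, int x)
{
    if (check(hdr, numcmpts, data) != 0)
        return -1;
    if (RAS_ISRGB(hdr))
        return (long)(RAS_RED(jas_matrix_getv(data[0], x)) |
                      RAS_GREEN(jas_matrix_getv(data[1], x)) |
                      RAS_BLUE(jas_matrix_getv(data[2], x)));
    return jas_matrix_getv(data[0], x);
}

/* Constructed sample rows, two pixels wide. */
static const int gray_row[] = { 0x40, 0x41 };
static const int r_row[] = { 0x11, 0x12 }, g_row[] = { 0x22, 0x23 }, b_row[] = { 0x33, 0x34 };
static jas_matrix_t gray_m = { gray_row, 2 };
static jas_matrix_t r_m = { r_row, 2 }, g_m = { g_row, 2 }, b_m = { b_row, 2 };

typedef struct { ras_hdr_t hdr; int numcmpts; jas_matrix_t *data[3]; } scenario_t;

/* Scenarios from the thread: 0 = ordinary gray (numcmpts 1, data[1..2] NULL),
 * 1 = ordinary RGB, 2 = the PoC shape (header says RGB, gray buffers only). */
static scenario_t make_scenario(int kind)
{
    scenario_t s = { { 8 }, 1, { &gray_m, NULL, NULL } };
    if (kind == 1) {
        s.hdr.depth = 24; s.numcmpts = 3;
        s.data[0] = &r_m; s.data[1] = &g_m; s.data[2] = &b_m;
    } else if (kind == 2) {
        s.hdr.depth = 24;              /* claims RGB, keeps the gray buffers */
    }
    return s;
}

static const check_fn checks[] = { check_patch, check_numcmpts3, check_consistent };

/* 0 = check `which` accepts scenario `kind`, -1 = it rejects it. */
int run_check(int which, int kind)
{
    scenario_t s = make_scenario(kind);
    return checks[which](&s.hdr, s.numcmpts, s.data);
}

/* Pixel x of scenario `kind` under check_consistent, or -1 if rejected. */
long run_pixel(int kind, int x)
{
    scenario_t s = make_scenario(kind);
    return put_pixel(check_consistent, &s.hdr, s.numcmpts, s.data, x);
}

int main(void)
{
    static const char *names[] = { "patch", "numcmpts==3", "consistent" };
    for (int w = 0; w < 3; w++)
        printf("%-12s gray:%2d rgb:%2d poc:%2d\n", names[w],
               run_check(w, 0), run_check(w, 1), run_check(w, 2));
    printf("gray pixel 1 = %ld, rgb pixel 0 = %ld, poc = %ld\n",
           run_pixel(0, 1), run_pixel(1, 0), run_pixel(2, 0));
    return 0;
}
```

The table the program prints makes the trade-off concrete: the patch's check rejects the PoC but also the ordinary gray image, the `numcmpts == 3` variant keeps gray working but lets the PoC shape reach the RGB branch where `data[1]` is NULL, and only a check derived from the same `RAS_ISRGB()` decision as the dereference accepts both valid shapes and rejects the inconsistent one.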